1. 19 Oct, 2023 16 commits
  2. 18 Oct, 2023 11 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: revert do not remove elements if set backend implements .abort · f86fb940
      Pablo Neira Ayuso authored
      nf_tables_abort_release() path calls nft_set_elem_destroy() for
      NFT_MSG_NEWSETELEM which releases the element, however, a reference to
      the element still remains in the working copy.
      
      Fixes: ebd032fa ("netfilter: nf_tables: do not remove elements if set backend implements .abort")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      f86fb940
    • Pablo Neira Ayuso's avatar
      netfilter: nft_set_rbtree: .deactivate fails if element has expired · d111692a
      Pablo Neira Ayuso authored
      This allows to remove an expired element which is not possible in other
      existing set backends, this is more noticeable if gc-interval is high so
      expired elements remain in the tree. On-demand gc also does not help in
      this case, because this is delete element path. Return NULL if element
      has expired.
      
      Fixes: 8d8540c4 ("netfilter: nft_set_rbtree: add timeout support")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      d111692a
    • Phil Sutter's avatar
      selftests: netfilter: Run nft_audit.sh in its own netns · 2e2d9c7d
      Phil Sutter authored
      Don't mess with the host's firewall ruleset. Since audit logging is not
      per-netns, add an initial delay of a second so other selftests' netns
      cleanups have a chance to finish.
      
      Fixes: e8dbde59 ("selftests: netfilter: Test nf_tables audit logging")
      Signed-off-by: default avatarPhil Sutter <phil@nwl.cc>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      2e2d9c7d
    • Phil Sutter's avatar
      netfilter: nf_tables: audit log object reset once per table · 1baf0152
      Phil Sutter authored
      When resetting multiple objects at once (via dump request), emit a log
      message per table (or filled skb) and resurrect the 'entries' parameter
      to contain the number of objects being logged for.
      
      To test the skb exhaustion path, perform some bulk counter and quota
      adds in the kselftest.
      Signed-off-by: default avatarPhil Sutter <phil@nwl.cc>
      Reviewed-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Acked-by: Paul Moore <paul@paul-moore.com> (Audit)
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      1baf0152
    • Geert Uytterhoeven's avatar
      neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section · 2915240e
      Geert Uytterhoeven authored
      When CONFIG_IPV6=n, and building with W=1:
      
          In file included from include/trace/define_trace.h:102,
      		     from include/trace/events/neigh.h:255,
      		     from net/core/net-traces.c:51:
          include/trace/events/neigh.h: In function ‘trace_event_raw_event_neigh_create’:
          include/trace/events/neigh.h:42:34: error: variable ‘pin6’ set but not used [-Werror=unused-but-set-variable]
             42 |                 struct in6_addr *pin6;
      	  |                                  ^~~~
          include/trace/trace_events.h:402:11: note: in definition of macro ‘DECLARE_EVENT_CLASS’
            402 |         { assign; }                                                     \
      	  |           ^~~~~~
          include/trace/trace_events.h:44:30: note: in expansion of macro ‘PARAMS’
             44 |                              PARAMS(assign),                   \
      	  |                              ^~~~~~
          include/trace/events/neigh.h:23:1: note: in expansion of macro ‘TRACE_EVENT’
             23 | TRACE_EVENT(neigh_create,
      	  | ^~~~~~~~~~~
          include/trace/events/neigh.h:41:9: note: in expansion of macro ‘TP_fast_assign’
             41 |         TP_fast_assign(
      	  |         ^~~~~~~~~~~~~~
          In file included from include/trace/define_trace.h:103,
      		     from include/trace/events/neigh.h:255,
      		     from net/core/net-traces.c:51:
          include/trace/events/neigh.h: In function ‘perf_trace_neigh_create’:
          include/trace/events/neigh.h:42:34: error: variable ‘pin6’ set but not used [-Werror=unused-but-set-variable]
             42 |                 struct in6_addr *pin6;
      	  |                                  ^~~~
          include/trace/perf.h:51:11: note: in definition of macro ‘DECLARE_EVENT_CLASS’
             51 |         { assign; }                                                     \
      	  |           ^~~~~~
          include/trace/trace_events.h:44:30: note: in expansion of macro ‘PARAMS’
             44 |                              PARAMS(assign),                   \
      	  |                              ^~~~~~
          include/trace/events/neigh.h:23:1: note: in expansion of macro ‘TRACE_EVENT’
             23 | TRACE_EVENT(neigh_create,
      	  | ^~~~~~~~~~~
          include/trace/events/neigh.h:41:9: note: in expansion of macro ‘TP_fast_assign’
             41 |         TP_fast_assign(
      	  |         ^~~~~~~~~~~~~~
      
      Indeed, the variable pin6 is declared and initialized unconditionally,
      while it is only used and needlessly re-initialized when support for
      IPv6 is enabled.
      
      Fix this by dropping the unused variable initialization, and moving the
      variable declaration inside the existing section protected by a check
      for CONFIG_IPV6.
      
      Fixes: fc651001 ("neighbor: Add tracepoint to __neigh_create")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Tested-by: Simon Horman <horms@kernel.org> # build-tested
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2915240e
    • Bagas Sanjaya's avatar
      Revert "net: wwan: iosm: enable runtime pm support for 7560" · 1db34aa5
      Bagas Sanjaya authored
      Runtime power management support breaks Intel LTE modem where dmesg dump
      showes timeout errors:
      
      ```
      [   72.027442] iosm 0000:01:00.0: msg timeout
      [   72.531638] iosm 0000:01:00.0: msg timeout
      [   73.035414] iosm 0000:01:00.0: msg timeout
      [   73.540359] iosm 0000:01:00.0: msg timeout
      ```
      
      Furthermore, when shutting down with `poweroff` and modem attached, the
      system rebooted instead of powering down as expected. The modem works
      again only after power cycling.
      
      Revert runtime power management support for IOSM driver as introduced by
      commit e4f5073d ("net: wwan: iosm: enable runtime pm support for
      7560").
      
      Fixes: e4f5073d ("net: wwan: iosm: enable runtime pm support for 7560")
      Reported-by: default avatarMartin <mwolf@adiumentum.com>
      Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217996
      Link: https://lore.kernel.org/r/267abf02-4b60-4a2e-92cd-709e3da6f7d3@gmail.com/Signed-off-by: default avatarBagas Sanjaya <bagasdotme@gmail.com>
      Reviewed-by: default avatarLoic Poulain <loic.poulain@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1db34aa5
    • Gavrilov Ilia's avatar
      net: pktgen: Fix interface flags printing · 1d30162f
      Gavrilov Ilia authored
      Device flags are displayed incorrectly:
      1) The comparison (i == F_FLOW_SEQ) is always false, because F_FLOW_SEQ
      is equal to (1 << FLOW_SEQ_SHIFT) == 2048, and the maximum value
      of the 'i' variable is (NR_PKT_FLAG - 1) == 17. It should be compared
      with FLOW_SEQ_SHIFT.
      
      2) Similarly to the F_IPSEC flag.
      
      3) Also add spaces to the print end of the string literal "spi:%u"
      to prevent the output from merging with the flag that follows.
      
      Found by InfoTeCS on behalf of Linux Verification Center
      (linuxtesting.org) with SVACE.
      
      Fixes: 99c6d3d2 ("pktgen: Remove brute-force printing of flags")
      Signed-off-by: default avatarGavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1d30162f
    • Jakub Kicinski's avatar
      Merge tag 'ipsec-2023-10-17' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · f6c7b422
      Jakub Kicinski authored
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2023-10-17
      
      1) Fix a slab-use-after-free in xfrm_policy_inexact_list_reinsert.
         From Dong Chenchen.
      
      2) Fix data-races in the xfrm interfaces dev->stats fields.
         From Eric Dumazet.
      
      3) Fix a data-race in xfrm_gen_index.
         From Eric Dumazet.
      
      4) Fix an inet6_dev refcount underflow.
         From Zhang Changzhong.
      
      5) Check the return value of pskb_trim in esp_remove_trailer
         for esp4 and esp6. From Ma Ke.
      
      6) Fix a data-race in xfrm_lookup_with_ifid.
         From Eric Dumazet.
      
      * tag 'ipsec-2023-10-17' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
        xfrm: fix a data-race in xfrm_lookup_with_ifid()
        net: ipv4: fix return value check in esp_remove_trailer
        net: ipv6: fix return value check in esp_remove_trailer
        xfrm6: fix inet6_dev refcount underflow problem
        xfrm: fix a data-race in xfrm_gen_index()
        xfrm: interface: use DEV_STATS_INC()
        net: xfrm: skip policies marked as dead while reinserting policies
      ====================
      
      Link: https://lore.kernel.org/r/20231017083723.1364940-1-steffen.klassert@secunet.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f6c7b422
    • Dan Carpenter's avatar
      net: usb: smsc95xx: Fix an error code in smsc95xx_reset() · c53647a5
      Dan Carpenter authored
      Return a negative error code instead of success.
      
      Fixes: 2f7ca802 ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/147927f0-9ada-45cc-81ff-75a19dd30b76@moroto.mountainSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c53647a5
    • Eric Dumazet's avatar
      tun: prevent negative ifindex · cbfbfe3a
      Eric Dumazet authored
      After commit 956db0a1 ("net: warn about attempts to register
      negative ifindex") syzbot is able to trigger the following splat.
      
      Negative ifindex are not supported.
      
      WARNING: CPU: 1 PID: 6003 at net/core/dev.c:9596 dev_index_reserve+0x104/0x210
      Modules linked in:
      CPU: 1 PID: 6003 Comm: syz-executor926 Not tainted 6.6.0-rc4-syzkaller-g19af4a4ed414 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
      pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      pc : dev_index_reserve+0x104/0x210
      lr : dev_index_reserve+0x100/0x210
      sp : ffff800096a878e0
      x29: ffff800096a87930 x28: ffff0000d04380d0 x27: ffff0000d04380f8
      x26: ffff0000d04380f0 x25: 1ffff00012d50f20 x24: 1ffff00012d50f1c
      x23: dfff800000000000 x22: ffff8000929c21c0 x21: 00000000ffffffea
      x20: ffff0000d04380e0 x19: ffff800096a87900 x18: ffff800096a874c0
      x17: ffff800084df5008 x16: ffff80008051f9c4 x15: 0000000000000001
      x14: 1fffe0001a087198 x13: 0000000000000000 x12: 0000000000000000
      x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
      x8 : ffff0000d41c9bc0 x7 : 0000000000000000 x6 : 0000000000000000
      x5 : ffff800091763d88 x4 : 0000000000000000 x3 : ffff800084e04748
      x2 : 0000000000000001 x1 : 00000000fead71c7 x0 : 0000000000000000
      Call trace:
      dev_index_reserve+0x104/0x210
      register_netdevice+0x598/0x1074 net/core/dev.c:10084
      tun_set_iff+0x630/0xb0c drivers/net/tun.c:2850
      __tun_chr_ioctl+0x788/0x2af8 drivers/net/tun.c:3118
      tun_chr_ioctl+0x38/0x4c drivers/net/tun.c:3403
      vfs_ioctl fs/ioctl.c:51 [inline]
      __do_sys_ioctl fs/ioctl.c:871 [inline]
      __se_sys_ioctl fs/ioctl.c:857 [inline]
      __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:857
      __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
      invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
      el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
      do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
      el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
      irq event stamp: 11348
      hardirqs last enabled at (11347): [<ffff80008a716574>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
      hardirqs last enabled at (11347): [<ffff80008a716574>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
      hardirqs last disabled at (11348): [<ffff80008a627820>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:436
      softirqs last enabled at (11138): [<ffff8000887ca53c>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
      softirqs last enabled at (11138): [<ffff8000887ca53c>] release_sock+0x15c/0x1b0 net/core/sock.c:3531
      softirqs last disabled at (11136): [<ffff8000887ca41c>] spin_lock_bh include/linux/spinlock.h:356 [inline]
      softirqs last disabled at (11136): [<ffff8000887ca41c>] release_sock+0x3c/0x1b0 net/core/sock.c:3518
      
      Fixes: fb7589a1 ("tun: Add ability to create tun device with given index")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Link: https://lore.kernel.org/r/20231016180851.3560092-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cbfbfe3a
    • Neal Cardwell's avatar
      tcp: fix excessive TLP and RACK timeouts from HZ rounding · 1c2709cf
      Neal Cardwell authored
      We discovered from packet traces of slow loss recovery on kernels with
      the default HZ=250 setting (and min_rtt < 1ms) that after reordering,
      when receiving a SACKed sequence range, the RACK reordering timer was
      firing after about 16ms rather than the desired value of roughly
      min_rtt/4 + 2ms. The problem is largely due to the RACK reorder timer
      calculation adding in TCP_TIMEOUT_MIN, which is 2 jiffies. On kernels
      with HZ=250, this is 2*4ms = 8ms. The TLP timer calculation has the
      exact same issue.
      
      This commit fixes the TLP transmit timer and RACK reordering timer
      floor calculation to more closely match the intended 2ms floor even on
      kernels with HZ=250. It does this by adding in a new
      TCP_TIMEOUT_MIN_US floor of 2000 us and then converting to jiffies,
      instead of the current approach of converting to jiffies and then
      adding th TCP_TIMEOUT_MIN value of 2 jiffies.
      
      Our testing has verified that on kernels with HZ=1000, as expected,
      this does not produce significant changes in behavior, but on kernels
      with the default HZ=250 the latency improvement can be large. For
      example, our tests show that for HZ=250 kernels at low RTTs this fix
      roughly halves the latency for the RACK reorder timer: instead of
      mostly firing at 16ms it mostly fires at 8ms.
      Suggested-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarYuchung Cheng <ycheng@google.com>
      Fixes: bb4d991a ("tcp: adjust tail loss probe timeout")
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20231015174700.2206872-1-ncardwell.sw@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1c2709cf
  3. 17 Oct, 2023 4 commits
    • Shailend Chand's avatar
      gve: Do not fully free QPL pages on prefill errors · 95535e37
      Shailend Chand authored
      The prefill function should have only removed the page count bias it
      added. Fully freeing the page will cause gve_free_queue_page_list to
      free a page the driver no longer owns.
      
      Fixes: 82fd151d ("gve: Reduce alloc and copy costs in the GQ rx path")
      Signed-off-by: default avatarShailend Chand <shailend@google.com>
      Link: https://lore.kernel.org/r/20231014014121.2843922-1-shailend@google.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      95535e37
    • Jakub Kicinski's avatar
      Merge tag 'for-net-2023-10-13' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 2b10740c
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - Fix race when opening vhci device
       - Avoid memcmp() out of bounds warning
       - Correctly bounds check and pad HCI_MON_NEW_INDEX name
       - Fix using memcmp when comparing keys
       - Ignore error return for hci_devcd_register() in btrtl
       - Always check if connection is alive before deleting
       - Fix a refcnt underflow problem for hci_conn
      
      * tag 'for-net-2023-10-13' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
        Bluetooth: avoid memcmp() out of bounds warning
        Bluetooth: hci_sock: fix slab oob read in create_monitor_event
        Bluetooth: btrtl: Ignore error return for hci_devcd_register()
        Bluetooth: hci_event: Fix coding style
        Bluetooth: hci_event: Fix using memcmp when comparing keys
        Bluetooth: Fix a refcnt underflow problem for hci_conn
        Bluetooth: hci_sync: always check if connection is alive before deleting
        Bluetooth: Reject connection with the device which has same BD_ADDR
        Bluetooth: hci_event: Ignore NULL link key
        Bluetooth: ISO: Fix invalid context error
        Bluetooth: vhci: Fix race when opening vhci device
      ====================
      
      Link: https://lore.kernel.org/r/20231014031336.1664558-1-luiz.dentz@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2b10740c
    • Krzysztof Kozlowski's avatar
      nfc: nci: fix possible NULL pointer dereference in send_acknowledge() · 7937609c
      Krzysztof Kozlowski authored
      Handle memory allocation failure from nci_skb_alloc() (calling
      alloc_skb()) to avoid possible NULL pointer dereference.
      Reported-by: default avatar黄思聪 <huangsicong@iie.ac.cn>
      Fixes: 391d8a2d ("NFC: Add NCI over SPI receive")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20231013184129.18738-1-krzysztof.kozlowski@linaro.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7937609c
    • Christoph Paasch's avatar
      netlink: Correct offload_xstats size · 503930f8
      Christoph Paasch authored
      rtnl_offload_xstats_get_size_hw_s_info_one() conditionalizes the
      size-computation for IFLA_OFFLOAD_XSTATS_HW_S_INFO_USED based on whether
      or not the device has offload_xstats enabled.
      
      However, rtnl_offload_xstats_fill_hw_s_info_one() is adding the u8 for
      that field uncondtionally.
      
      syzkaller triggered a WARNING in rtnl_stats_get due to this:
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 754 at net/core/rtnetlink.c:5982 rtnl_stats_get+0x2f4/0x300
      Modules linked in:
      CPU: 0 PID: 754 Comm: syz-executor148 Not tainted 6.6.0-rc2-g331b78eb12af #45
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
      RIP: 0010:rtnl_stats_get+0x2f4/0x300 net/core/rtnetlink.c:5982
      Code: ff ff 89 ee e8 7d 72 50 ff 83 fd a6 74 17 e8 33 6e 50 ff 4c 89 ef be 02 00 00 00 e8 86 00 fa ff e9 7b fe ff ff e8 1c 6e 50 ff <0f> 0b eb e5 e8 73 79 7b 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90
      RSP: 0018:ffffc900006837c0 EFLAGS: 00010293
      RAX: ffffffff81cf7f24 RBX: ffff8881015d9000 RCX: ffff888101815a00
      RDX: 0000000000000000 RSI: 00000000ffffffa6 RDI: 00000000ffffffa6
      RBP: 00000000ffffffa6 R08: ffffffff81cf7f03 R09: 0000000000000001
      R10: ffff888101ba47b9 R11: ffff888101815a00 R12: ffff8881017dae00
      R13: ffff8881017dad00 R14: ffffc90000683ab8 R15: ffffffff83c1f740
      FS:  00007fbc22dbc740(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020000046 CR3: 000000010264e003 CR4: 0000000000170ef0
      Call Trace:
       <TASK>
       rtnetlink_rcv_msg+0x677/0x710 net/core/rtnetlink.c:6480
       netlink_rcv_skb+0xea/0x1c0 net/netlink/af_netlink.c:2545
       netlink_unicast+0x430/0x500 net/netlink/af_netlink.c:1342
       netlink_sendmsg+0x4fc/0x620 net/netlink/af_netlink.c:1910
       sock_sendmsg+0xa8/0xd0 net/socket.c:730
       ____sys_sendmsg+0x22a/0x320 net/socket.c:2541
       ___sys_sendmsg+0x143/0x190 net/socket.c:2595
       __x64_sys_sendmsg+0xd8/0x150 net/socket.c:2624
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x6e/0xd8
      RIP: 0033:0x7fbc22e8d6a9
      Code: 5c c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 37 0d 00 f7 d8 64 89 01 48
      RSP: 002b:00007ffc4320e778 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000004007d0 RCX: 00007fbc22e8d6a9
      RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
      RBP: 0000000000000001 R08: 0000000000000000 R09: 00000000004007d0
      R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffc4320e898
      R13: 00007ffc4320e8a8 R14: 00000000004004a0 R15: 00007fbc22fa5a80
       </TASK>
      ---[ end trace 0000000000000000 ]---
      
      Which didn't happen prior to commit bf9f1baa ("net: add dedicated
      kmem_cache for typical/small skb->head") as the skb always was large
      enough.
      
      Fixes: 0e7788fd ("net: rtnetlink: Add UAPI for obtaining L3 offload xstats")
      Signed-off-by: default avatarChristoph Paasch <cpaasch@apple.com>
      Reviewed-by: default avatarPetr Machata <petrm@nvidia.com>
      Link: https://lore.kernel.org/r/20231013041448.8229-1-cpaasch@apple.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      503930f8
  4. 16 Oct, 2023 1 commit
  5. 15 Oct, 2023 7 commits
    • David S. Miller's avatar
      Merge branch 'ovs-selftests' · 883f0dc0
      David S. Miller authored
      From: Aaron Conole <aconole@redhat.com>
      To: netdev@vger.kernel.org
      Cc: dev@openvswitch.org, linux-kselftest@vger.kernel.org,
      	linux-kernel@vger.kernel.org, Pravin B Shelar <pshelar@ovn.org>,
      	"David S. Miller" <davem@davemloft.net>,
      	Eric Dumazet <edumazet@google.com>,
      	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
      	Adrian Moreno <amorenoz@redhat.com>,
      	Eelco Chaudron <echaudro@redhat.com>,
      	shuah@kernel.org
      Subject: [PATCH net v2 0/4] selftests: openvswitch: Minor fixes for some systems
      Date: Wed, 11 Oct 2023 15:49:35 -0400	[thread overview]
      Message-ID: <20231011194939.704565-1-aconole@redhat.com> (raw)
      
      A number of corner cases were caught when trying to run the selftests on
      older systems.  Missed skip conditions, some error cases, and outdated
      python setups would all report failures but the issue would actually be
      related to some other condition rather than the selftest suite.
      
      Address these individual cases.
      ====================
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      883f0dc0
    • Aaron Conole's avatar
      selftests: openvswitch: Fix the ct_tuple for v4 · 8eff0e06
      Aaron Conole authored
      The ct_tuple v4 data structure decode / encode routines were using
      the v6 IP address decode and relying on default encode. This could
      cause exceptions during encode / decode depending on how a ct4
      tuple would appear in a netlink message.
      
      Caught during code review.
      
      Fixes: e52b07aa ("selftests: openvswitch: add flow dump support")
      Signed-off-by: default avatarAaron Conole <aconole@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8eff0e06
    • Aaron Conole's avatar
      selftests: openvswitch: Skip drop testing on older kernels · 76035fd1
      Aaron Conole authored
      Kernels that don't have support for openvswitch drop reasons also
      won't have the drop counter reasons, so we should skip the test
      completely.  It previously wasn't possible to build a test case
      for this without polluting the datapath, so we introduce a mechanism
      to clear all the flows from a datapath allowing us to test for
      explicit drop actions, and then clear the flows to build the
      original test case.
      
      Fixes: 42420291 ("selftests: openvswitch: add explicit drop testcase")
      Signed-off-by: default avatarAaron Conole <aconole@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      76035fd1
    • Aaron Conole's avatar
      selftests: openvswitch: Catch cases where the tests are killed · af846afa
      Aaron Conole authored
      In case of fatal signal, or early abort at least cleanup the current
      test case.
      
      Fixes: 25f16c87 ("selftests: add openvswitch selftest suite")
      Signed-off-by: default avatarAaron Conole <aconole@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af846afa
    • Aaron Conole's avatar
      selftests: openvswitch: Add version check for pyroute2 · 92e37f20
      Aaron Conole authored
      Paolo Abeni reports that on some systems the pyroute2 version isn't
      new enough to run the test suite.  Ensure that we support a minimum
      version of 0.6 for all cases (which does include the existing ones).
      The 0.6.1 version was released in May of 2021, so should be
      propagated to most installations at this point.
      
      The alternative that Paolo proposed was to only skip when the
      add-flow is being run.  This would be okay for most cases, except
      if a future test case is added that needs to do flow dump without
      an associated add (just guessing).  In that case, it could also be
      broken and we would need additional skip logic anyway.  Just draw
      a line in the sand now.
      
      Fixes: 25f16c87 ("selftests: add openvswitch selftest suite")
      Reported-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Closes: https://lore.kernel.org/lkml/8470c431e0930d2ea204a9363a60937289b7fdbe.camel@redhat.com/Signed-off-by: default avatarAaron Conole <aconole@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      92e37f20
    • Willem de Bruijn's avatar
      net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation · fc8b2a61
      Willem de Bruijn authored
      Syzbot reported two new paths to hit an internal WARNING using the
      new virtio gso type VIRTIO_NET_HDR_GSO_UDP_L4.
      
          RIP: 0010:skb_checksum_help+0x4a2/0x600 net/core/dev.c:3260
          skb len=64521 gso_size=344
      and
      
          RIP: 0010:skb_warn_bad_offload+0x118/0x240 net/core/dev.c:3262
      
      Older virtio types have historically had loose restrictions, leading
      to many entirely impractical fuzzer generated packets causing
      problems deep in the kernel stack. Ideally, we would have had strict
      validation for all types from the start.
      
      New virtio types can have tighter validation. Limit UDP GSO packets
      inserted via virtio to the same limits imposed by the UDP_SEGMENT
      socket interface:
      
      1. must use checksum offload
      2. checksum offload matches UDP header
      3. no more segments than UDP_MAX_SEGMENTS
      4. UDP GSO does not take modifier flags, notably SKB_GSO_TCP_ECN
      
      Fixes: 860b7f27 ("linux/virtio_net.h: Support USO offload in vnet header.")
      Reported-by: syzbot+01cdbc31e9c0ae9b33ac@syzkaller.appspotmail.com
      Closes: https://lore.kernel.org/netdev/0000000000005039270605eb0b7f@google.com/
      Reported-by: syzbot+c99d835ff081ca30f986@syzkaller.appspotmail.com
      Closes: https://lore.kernel.org/netdev/0000000000005426680605eb0b9f@google.com/Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fc8b2a61
    • Manish Chopra's avatar
      qed: fix LL2 RX buffer allocation · 2f3389c7
      Manish Chopra authored
      Driver allocates the LL2 rx buffers from kmalloc()
      area to construct the skb using slab_build_skb()
      
      The required size allocation seems to have overlooked
      for accounting both skb_shared_info size and device
      placement padding bytes which results into the below
      panic when doing skb_put() for a standard MTU sized frame.
      
      skbuff: skb_over_panic: text:ffffffffc0b0225f len:1514 put:1514
      head:ff3dabceaf39c000 data:ff3dabceaf39c042 tail:0x62c end:0x566
      dev:<NULL>
      …
      skb_panic+0x48/0x4a
      skb_put.cold+0x10/0x10
      qed_ll2b_complete_rx_packet+0x14f/0x260 [qed]
      qed_ll2_rxq_handle_completion.constprop.0+0x169/0x200 [qed]
      qed_ll2_rxq_completion+0xba/0x320 [qed]
      qed_int_sp_dpc+0x1a7/0x1e0 [qed]
      
      This patch fixes this by accouting skb_shared_info and device
      placement padding size bytes when allocating the buffers.
      
      Cc: David S. Miller <davem@davemloft.net>
      Fixes: 0a7fb11c ("qed: Add Light L2 support")
      Signed-off-by: default avatarManish Chopra <manishc@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2f3389c7
  6. 14 Oct, 2023 1 commit
    • Kees Cook's avatar
      Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name · cb3871b1
      Kees Cook authored
      The code pattern of memcpy(dst, src, strlen(src)) is almost always
      wrong. In this case it is wrong because it leaves memory uninitialized
      if it is less than sizeof(ni->name), and overflows ni->name when longer.
      
      Normally strtomem_pad() could be used here, but since ni->name is a
      trailing array in struct hci_mon_new_index, compilers that don't support
      -fstrict-flex-arrays=3 can't tell how large this array is via
      __builtin_object_size(). Instead, open-code the helper and use sizeof()
      since it will work correctly.
      
      Additionally mark ni->name as __nonstring since it appears to not be a
      %NUL terminated C string.
      
      Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Cc: Edward AD <twuufnxlz@gmail.com>
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: linux-bluetooth@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Fixes: 18f547f3 ("Bluetooth: hci_sock: fix slab oob read in create_monitor_event")
      Link: https://lore.kernel.org/lkml/202310110908.F2639D3276@keescook/Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      cb3871b1